Bug 1798453 (CVE-2020-8608) - CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
Summary: CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8608
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1798454 1800515 1800516 1800517 1834479 1798966 1798969 1798970 1798971 1798972 1798973 1798974 1798975 1798976 1798977 1798978 1798979 1798980 1798981 1798982 1798983 1798984 1798993 1798994 1800427 1800441 1800443 1800518 1834475 1834476 1834477 1834478 1834758 1834759 1834760 1845560
Blocks: 1798415
Reported: 2020-02-05 11:59 UTC by Prasad J Pandit
Modified: 2020-07-21 14:31 UTC (History)

Fixed In Version: libslirp-4.3.0
Doc Text:
An out-of-bounds heap buffer access flaw was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the tcp_emu() routine while emulating IRC and other protocols due to unsafe usage of the snprintf(3) function. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2020-03-17 22:31:47 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1976 None None None 2020-04-30 09:13:28 UTC
Red Hat Product Errata RHBA-2020:1977 None None None 2020-04-30 09:17:36 UTC
Red Hat Product Errata RHSA-2020:0889 None None None 2020-03-17 17:56:47 UTC
Red Hat Product Errata RHSA-2020:1208 None None None 2020-03-31 21:16:23 UTC
Red Hat Product Errata RHSA-2020:1209 None None None 2020-03-31 21:16:35 UTC
Red Hat Product Errata RHSA-2020:1261 None None None 2020-04-01 07:44:55 UTC
Red Hat Product Errata RHSA-2020:1292 None None None 2020-04-02 07:26:46 UTC
Red Hat Product Errata RHSA-2020:1300 None None None 2020-04-02 10:26:42 UTC
Red Hat Product Errata RHSA-2020:1351 None None None 2020-04-07 09:43:43 UTC
Red Hat Product Errata RHSA-2020:1352 None None None 2020-04-07 10:28:36 UTC
Red Hat Product Errata RHSA-2020:1379 None None None 2020-04-07 10:31:34 UTC
Red Hat Product Errata RHSA-2020:1403 None None None 2020-04-08 08:58:31 UTC
Red Hat Product Errata RHSA-2020:2342 None None None 2020-06-01 06:41:24 UTC
Red Hat Product Errata RHSA-2020:2730 None None None 2020-06-24 12:25:02 UTC
Red Hat Product Errata RHSA-2020:2773 None None None 2020-06-30 13:58:16 UTC
Red Hat Product Errata RHSA-2020:2774 None None None 2020-06-30 14:08:33 UTC
Red Hat Product Errata RHSA-2020:2844 None None None 2020-07-07 10:19:52 UTC
Red Hat Product Errata RHSA-2020:3040 None None None 2020-07-21 14:31:54 UTC

Description Prasad J Pandit 2020-02-05 11:59:27 UTC
An out-of-bounds heap buffer access issue was found in the SLiRP networking implementation
of the QEMU emulator. It occurs in the tcp_emu() routine while emulating IRC and
other protocols due to unsafe usage of the snprintf(3) function.

A user/process could use this flaw to crash the QEMU process on the host,
resulting in DoS, or potentially execute arbitrary code with privileges of the
QEMU process on the host. Also, with SELinux and sVirt access control in
place, malicious activity is restricted.

Upstream patch:
---------------
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/02/06/2
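
The snprintf(3) pitfall named in the description, as an added example that is not part of the original report and is not libslirp code: on truncation snprintf() returns the length the output would have had, so a caller that adds the return value to a running length can track a size larger than the buffer. The function names, the format string and the sample input are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: the return value of snprintf() is treated as "bytes
 * written". On truncation it is the length the full output WOULD have had,
 * so the tracked length can end up larger than the buffer. Nothing is
 * written out of bounds here; the function only computes the bogus length. */
size_t unsafe_append_len(char *buf, size_t cap, size_t len, const char *arg)
{
    int n = snprintf(buf + len, cap - len, "CMD %s\n", arg);
    return len + (size_t)n; /* may exceed cap */
}

/* Hardened helper (hypothetical name): returns the number of bytes stored,
 * not counting the NUL, or -1 when the output does not fit or on error. */
int fmt_bounded(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size) {
        dst[0] = '\0'; /* discard the truncated output */
        return -1;
    }
    return n;
}

/* Safe caller: the length only advances by what was really stored. */
size_t safe_append_len(char *buf, size_t cap, size_t len, const char *arg)
{
    int n;
    if (len >= cap)
        return len;
    n = fmt_bounded(buf + len, cap - len, "CMD %s\n", arg);
    return n < 0 ? len : len + (size_t)n;
}

int main(void)
{
    char buf[16];
    const char *arg = "constructed-long-argument"; /* constructed input */
    printf("cap=%zu unsafe=%zu safe=%zu\n", sizeof buf,
           unsafe_append_len(buf, sizeof buf, 0, arg),
           safe_append_len(buf, sizeof buf, 0, arg));
    return 0;
}
```

When auditing for this pattern, look for code that adds the result of snprintf() to a length or offset without first comparing it against the remaining space.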

Comment 1 Prasad J Pandit 2020-02-05 11:59:38 UTC
Acknowledgments:

Name: Laszlo Ersek (redhat.com)

Comment 2 Prasad J Pandit 2020-02-05 12:00:26 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1798454]

Comment 10 Prasad J Pandit 2020-02-07 05:47:06 UTC
Statement:

This issue affects the user-mode or SLiRP networking implementation of the QEMU emulator. Though the qemu-kvm package is built with SLiRP networking support, due to its limitations, it is not used by the virtual machine guests by default.

This issue affects versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and Red Hat Enterprise Linux Advanced Virtualization 8. Future qemu-kvm package updates for Red Hat Enterprise Linux 6, 7, 8 and Red Hat Enterprise Linux Advanced Virtualization 8 may address this issue.

Red Hat Enterprise Linux 5 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This issue is currently not planned to be addressed in its future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat OpenStack Platform:
This flaw impacts KVM user-mode or SLIRP networking, which is not used in Red Hat OpenStack Platform. Although updating is recommended for affected versions (see below), Red Hat OpenStack Platform environments are not vulnerable.

Comment 11 Prasad J Pandit 2020-02-07 05:47:10 UTC
Mitigation:

This issue can only be resolved by applying updates.

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 21 errata-xmlrpc 2020-03-17 17:56:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:0889 https://access.redhat.com/errata/RHSA-2020:0889

Comment 22 Product Security DevOps Team 2020-03-17 22:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8608

Comment 26 errata-xmlrpc 2020-03-31 21:16:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1208 https://access.redhat.com/errata/RHSA-2020:1208

Comment 27 errata-xmlrpc 2020-03-31 21:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1209 https://access.redhat.com/errata/RHSA-2020:1209

Comment 28 errata-xmlrpc 2020-04-01 07:44:52 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.1

Via RHSA-2020:1261 https://access.redhat.com/errata/RHSA-2020:1261

Comment 29 errata-xmlrpc 2020-04-02 07:26:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:1292 https://access.redhat.com/errata/RHSA-2020:1292

Comment 30 errata-xmlrpc 2020-04-02 10:26:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:1300 https://access.redhat.com/errata/RHSA-2020:1300

Comment 31 errata-xmlrpc 2020-04-07 09:43:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:1351 https://access.redhat.com/errata/RHSA-2020:1351

Comment 32 errata-xmlrpc 2020-04-07 10:28:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:1352 https://access.redhat.com/errata/RHSA-2020:1352

Comment 33 errata-xmlrpc 2020-04-07 10:31:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1379 https://access.redhat.com/errata/RHSA-2020:1379

Comment 34 errata-xmlrpc 2020-04-08 08:58:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1403 https://access.redhat.com/errata/RHSA-2020:1403

Comment 44 errata-xmlrpc 2020-06-01 06:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2020:2342 https://access.redhat.com/errata/RHSA-2020:2342

Comment 47 errata-xmlrpc 2020-06-24 12:24:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:2730 https://access.redhat.com/errata/RHSA-2020:2730

Comment 48 errata-xmlrpc 2020-06-30 13:58:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2773 https://access.redhat.com/errata/RHSA-2020:2773

Comment 49 errata-xmlrpc 2020-06-30 14:08:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2774 https://access.redhat.com/errata/RHSA-2020:2774

Comment 50 errata-xmlrpc 2020-07-07 10:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2844 https://access.redhat.com/errata/RHSA-2020:2844

Comment 51 errata-xmlrpc 2020-07-21 14:31:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3040 https://access.redhat.com/errata/RHSA-2020:3040

